Authentication over a network using one-way tokens

ABSTRACT

A method for authenticating an entity at a first data resource, the method comprising the steps of: sending a first request token from the entity ( 100 ) to a token distribution unit ( 20 ) to request a first one-way authentication token, the first request token being a function of authentication information provided by the entity ( 100 ); sending the first one-way authentication token from the token distribution unit ( 20 ) to the entity ( 100 ); sending the first one-way authentication token from the entity ( 100 ) to the first data resource ( 200 ) to authenticate the entity ( 100 ) at the first data resource ( 200 ); sending the first one-way authentication token from the first data resource ( 200 ) to the token distribution unit ( 20 ) to validate the first one-way token; and invalidating the first one-way token.

1. PRIORITY DATA

This application is a continuation of, and claims benefit of priorityto, U.S. application Ser. No. 11/253,958, titled “Authentication Methodand Devices”, filed Oct. 19, 2005 now U.S. Pat. No. 8,028,331, whoseinventors were Eckehard Hermann and Dieter Hermann Kessler, which claimsbenefit of priority to European Patent Application Serial No. EP 04 025186.0, titled “Authentication Method and Devices”, filed Oct. 22, 2004,whose inventors were Eckehard Hermann and Dieter Hermann Kessler, bothof which are incorporated by reference in their entirety as though fullyand completely set forth herein.

2. TECHNICAL FIELD

The present invention relates to a method for authenticating an entityat a data resource.

3. THE PRIOR ART

Access to data resources such as data bases or applications running on amain-frame computer is typically controlled by providing an authorizeduser with a password. However, since data resources are nowadays moreand more distributed, the authentication information, such as the username and the password or a certificate, must be sent over sometimesunsecured channels between the client application of the user and theaddressed data resource. This is particularly a problem if a userintends to access a data resource which is not directly connected theclient application but only via one or more intermediate servers or thelike so that the authentication information is passed on over variouschannels. In such a situation, the user cannot control, whether all ofthe sections of the communication between the client application and theaddressed data resource are indeed secured.

One way of improving the security of authentication information is theuse of tokens, i.e., virtual objects, passed from the client to the dataresource for authentication. To obtain a token, a client sends at firstauthentication information to a trusted third party. If the client isauthenticated, the trusted third party issues a token to the client,wherein in some systems the trusted third party also verifies theauthorization of the client to access a certain data resource. By meansof this token the client can access the various data resources, whichmay validate the token with the trusted third party. As a result it isno longer the authentication information itself, which is sent over thepossibly unsecured channels, but only a token.

However, even if tokens are used, an attacker could listen to thecommunication between the client and one or more data resources and tryto gain access by replaying bit sequences sent to the data resources,which may contain the token. Accordingly, there is still a considerablerisk that the identity of a user is “hijacked” and subsequently used togain access to various data sources of a distributed network withoutbeing authorized.

It is therefore the problem of the present invention to provide a methodfor authenticating an entity, such as a user or a client application, ata data resource, which overcomes the above explained disadvantages ofthe prior art and allows a secure access control, even if thecommunication between the entity and the data resources uses one or moreunsecured channels.

4. SUMMARY OF THE INVENTION

According to a first aspect of the present invention, this problem issolved by a method for authenticating an entity at a first dataresource, the method comprising the steps of:

-   -   sending a first request token from the entity to a token        distribution unit to request a first one-way authentication        token, the first request token being a function of        authentication information provided by the entity,    -   sending the first one-way authentication token from the token        distribution unit to the entity;    -   sending the first one-way authentication token from the entity        to the first data resource to authenticate the entity at the        first data resource,    -   sending the first one-way authentication token from the first        data resource to the token distribution unit to validate the        first one-way token; and    -   invalidating the first one-way token.

Accordingly, instead of the single token of the prior art, there are twotypes of tokens: Request tokens, which are sent from the entity to thetoken distribution unit and one-way authentication tokens, which arereceived by the entity in response and which can be used forauthentication of the entity at the data resource only once. After theone-way authentication token is sent from the data resource to the tokendistribution unit to verify that it is a correct authentication token,it is invalidated.

As a consequence, each authentication token travels from the tokendistribution unit to the entity, from the entity to the data resourceand back to the token distribution unit. The described life-cycle isonly passed once and only in the indicated direction, before the one-wayauthentication token is invalidated. As a consequence, a data resourcereceiving the same one-way authentication token for the second time,will immediately recognize that a replay attack or the like is takingplace and block the access to its data. This allows to transmit theauthentication token over an unsecured channel without the risk of ahijack of the identity of the origin of the authentication information.

A further advantage of the present invention is that the one-wayauthentication token can be made much smaller than ordinary digitallysigned tokens. The authentication token may for example consist of only16 bytes, which facilitates its integration into existing programs.

Preferably, the token distribution unit sends the first request tokenused in the first method step to the entity in response to theauthentication information being sent to the token distribution unitfrom the entity. Accordingly, a client sends at first authenticationinformation, such as a username and a password or a certificate, to thetoken distribution unit and receives in response a request token, whichallows to obtain an authentication token for a single access of a dataresource.

The security of the communication is further increased, if the one-wayauthentication token is valid only for a predefined limited time. Bycontrast, the first request token can preferably be reused by the entityto obtain further one-way authentication tokens to authenticate theentity at the first data resource again and/or at other data resources.Since the request token is in contrast to the authentication tokenpreferably not transmitted over the unsecured channel(s) between theentity and the data resource(s), there is no risk that this token isintercepted by an attacker.

In a particularly preferred embodiment of the first aspect of theinvention the method comprises

-   -   sending a second request token from the token distribution unit        to the first data resource in response to the validation of the        first one-way authentication token; and preferably    -   sending the second request token from the first data resource to        the token distribution unit to request a second one-way        authentication token;    -   sending the second one-way authentication token from the token        distribution unit to the first data resource;    -   sending the second one-way authentication token from the first        data source to a second data resource to authenticate the entity        also at the second data resource;    -   sending the second one-way authentication token from the second        data resource to the token distribution unit to validate the        second one-way authentication token; and    -   invalidating the second one-way authentication token.

Accordingly, the inventive concept of using one-way authenticationtokens can also be extended to a situation, wherein a first dataresource has to contact a second data resource to meet a request fromthe entity. To this end, the process is repeated, i.e. the first dataresource is provided with a second request token to obtain a secondauthentication token, which it will then forward for authentication at asecond data resource. The second data resource in turn validates thesecond authentication token at the token distribution unit, which leadsfinally to the invalidation of the second authentication. It is apparentthat the described method can be cascaded so that chains of dataresources of any length can be securely accessed by the method of thepresent invention, even if one or more of the channels linking thechained data resources are unsecured.

According to a further aspect, the present invention is directed to atoken distribution unit comprising a request token issue unit issuing afirst request token in response to the receiving of authenticationinformation from an entity, an authentication token issue unit issuing aone-way authentication token in response to the receiving of the firstrequest token from the entity, a validation unit validating the one-wayauthentication token for a data resource, and an invalidation unitinvalidating the authentication token issued by the authentication tokenissue unit and received with a validation request form the dataresource.

Finally, the present invention relates according to a still furtheraspect to a first data resource comprising an access control unitreceiving a one-way authentication token to gain access to the data ofthe first data resource, a validation request unit sending a receivedone-way authentication token to a token distribution unit and obtaininga request token in response, and an authentication token obtaining unitsending the request token to the token distribution unit to obtain aone-way authentication token for a single access of the first dataresource at a second data resource.

Further dependent claims relate to preferred embodiments of the methodand the token distribution unit.

5. SHORT DESCRIPTION OF THE DRAWINGS

In the following detailed description presently preferred embodiments ofthe invention are described with reference to the drawings which show:

FIG. 1: An arrangement of a web server connected to several dataresources to illustrate the problem underlying the present invention;and

FIG. 2: a schematic representation of the various steps performed in amethod in accordance with a preferred embodiment of the presentinvention.

6. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 illustrates a typical situation as it is encountered in today'sdistributed networks of data resources: A web server 100 provides accessfor a user not only to the files of the web server 100 itself but alsoto several data resources either directly or indirectly connected to theweb server 100. The data resources may in an exemplary configurationcomprise one ore more applications 200, 500, running for example on oneor more mainframe computers (not shown), and a server 300 with a database managing program handling requests for a database 400, such as anAdabas database.

When a user at the web server 100 wants to access data at the database400, his request is initially sent from the web server 100 to theapplication 200, which processes the request and sends a correspondingrequest to the server 300, which finally sends a request to the database400. Whenever one of the data resources 200, 300 or 400 receives arequest, it requires authentication information which enables therespective data resource to verify, whether the requesting user isauthorized to access the requested data. As a result, the authenticationinformation has in the above example to be communicated over thechannels a, b and c (cf. FIG. 1).

Whereas in the past the various applications, server and databases weretypically localized in one, generally secure location interconnected bysecure channels, the various data resources are nowadays typicallydistributed over several locations and interconnected by more or lessopen networks such as the Internet or an Intranet. As a consequence, thechannels a, b, c, d are no longer secured channels. In particular, auser entering his authentication information at the web server 100 doesnot know and cannot control, whether one or more of the channels a, b,c, which are used to process his request, are secured or not. Therefore,there is a considerable risk that the authentication informationsupplied by a user and thereby his identity may be hijacked on its wayto the data server 400.

The method according to the invention improves the security for theauthentication process by providing an Integrated AuthenticationFramework (IAF) 20 as shown in FIG. 2. In the following, the function ofthe IAF 20, in particular its distribution of various tokens, isdescribed with respect to the specific network of data resources shownin FIG. 2. However, it is to be understood, that the IAF 20 and themethod steps described below can also be applied to any other network ofdistributed data resources. Further, whereas the description refers inthe following to a data request of a user at a web server 100, themethod and the system of the present invention can also be used for databeing sent from the web server 100 to any of the data resources 200,300, 400 and 500 or data being simply processed at one of the dataresources.

A user trying to access data at any of the data resources 200, 300, 400or 500 enters the authentication information at the web server 100. Theweb server 100 forwards the authentication information of the user,typically the username and the password or a certificate, to the IAF 20.The channel f is a secured channel similar to all other channels g, h,and i, which preferably directly connect the IAF 20 to the various dataresources 200, 300, 400, 500. Instead of a (human) user, the wholeprocess may also be started by an application running on the web server100 or an interconnected client application, which requests data fromone of the data resources 200, 300, 400 or 500 of the network. In thiscase the authentication information sent to the IAF will be provided bythe client application (not shown), for example in the form of acertificate.

When the IAF 20 receives the authentication information from the webserver 100, it verifies its content and issues in response a firstrequest token to the web server 100. The request token is a unique setof bytes, typically 16 bytes, created by the IAF 20, which enables theweb server 100 to obtain from the IAF 20 one or more one-wayauthentication tokens, which the web server 100 can then use to accessdata at one of the data resources 200 or 500. Whenever the web server100 needs a further one-way authentication token, it will again send therequest token to the IAF 20, which will again respond with issuing afurther one-way authentication token to the web server 100. The firstauthentication token for the web server 100 can alternatively be sentalready together with the initial issuing of the request token to reducedata traffic from and to the IAF 20.

The exchange of the authentication information and the request tokenbetween the web server 100 and the IAF is illustrated by the twocontinuous arrows on the left side of FIG. 2. The path of the one-wayauthentication tokens used in the method illustrated by FIG. 2 isindicated by dotted or dash-dotted arrows. As can be seen, the firstauthentication token called “authentication token 1” is sent from theIAF 20 to the requesting web server 100. If the web server 100 needsdata from the data resource 200, it will forward the authenticationtoken 1 to the data resource 200.

In order to verify that the received one-way authentication token 1 hasindeed been issued by the IAF 20, the data resource 200 will sent theone-way authentication token 1 received over the unsecured channel aback to the IAF 20 via the preferably secured channel g. The IAF 20,which preferably keeps track of all issued one-way authenticationtokens, validates the correctness of the authentication token receivedfrom the data resource 200. The IAF 20 may further check, whether apredefined time limit for the validity of the authentication token 1 hasalready expired and, if so, instruct the data resource 200 not to allowthe access to the requested data. Otherwise, i.e. if the validation issuccessful, the IAF 20 issues a corresponding message to the dataresource 200, which then responds to the request of the web server 100.

Finally, the IAF invalidates the authentication token 1, which can thenno longer be used to access any data in the network of FIG. 2. As can beseen, the authentication token 1 has a life-cycle, which starts with theissuing at the IAF 20 and which terminates with its final invalidationat the IAF 20. For any further request of data or sending of data fromthe web server 100 to the data resource 200 or another connected dataresource 500, the web server 100 will need a further one-wayauthentication token. In this case, the web server 100 will send oncemore its request token to the IAF 20, which will respond with a furtherone-way authentication token.

Since any one-way authentication token of the described method will onlybe used once and therefore only once travel along the possibly unsecuredchannel a (or one of the other channels b, c, d, see below), it is of noconcern if an attacker listens on one of the unsecured channels forauthentication information. Even if he succeeds to somehow catch theone-way authentication token during its single path from the web server100 to the data resource 200, he can not reuse the authentication tokenfor any unauthorized data access. This is, since the IAF 20 will notvalidate a second use of the already invalidated authentication token,when it is received again from the data resource 200 for validation.Alternatively such a reused authentication token may already be rejectedby the data resource 200, if it keeps track of the received one-wayauthentication tokens.

If the data requested by the web server 100 is not available on the dataresource 200, it might be necessary that the data resource 200 contactsa further data resource, for example the server 300. This can be done asfollows:

When the data resource 200 validates the authentication token 1 bysending it along the channel g to the IAF 20, it receives as a responsenot only a confirmation about the validity of the authentication token 1but also a request token. This second request token—the first requesttoken is the request token of the web server 100—can be used by the dataresource 200 to obtain an a one-way authentication token, called in thefollowing authentication token 2, for accessing the server 300. To thisend, the data resource 200 sends its request token to the IAF 20, whichverifies the request token and responds with the requested one-wayauthentication token 2. Alternatively, the IAF 20 can provide the dataresource 200 with the first one-way authentication token together withsending the request token, if it is desired to reduce the data trafficon the channel g.

In a similar manner as the web server 100 uses the one-wayauthentication token 1 to access the data resource 200, the dataresource 200 can now access the server 300, which will then validate theone-way authentication token 2 by sending it back to the IAF 20, whereit is checked and finally invalidated.

As can be seen from FIG. 2, this process can be repeated to access thedata base 400, so that finally the one-way authentication tokens 1, 2and 3 are used for the overall transaction. However, since all of thethree tokens are used only once, the overall request from the web server100 to the data base 400 can be processed via one or more unsecuredchannels without the risk of a hijacking of authentication informationand thereby the identity of a user.

When the described method is used with all data sources 200, 300, 400and 500 participating, there will finally be a situation, wherein eachdata resource is provided with its respective request token. Eachrequest token is bound to one member of the network, i.e. the web server100 or any of the data resources 200, 300, 400 and 500. However, therequest tokens may also be provided with a time limit so that they willbe automatically invalidated when a predefined time has elapsed.Clearly, the time limit may be different for different participants ofthe network.

Finally, the request tokens may further be used by any of theparticipants of the network to get more information about the user. Forexample, if the data resource 500 needs additional information about theuser in order to respond to a request from the web server 100 or toexecute a certain task, it can send a command such as “getinfo(requesttoken)” to the IAF 20. Since any request token used by the various dataresources and the web server 100 is a function of the authenticationinformation initially sent to the IAF 20 and stored by the IAF, the IAFcan then provide the required information, for example the full name ofa user, his address, his degree of authorization etc.

1. A token distribution unit comprising one or more processors and oneor more memories, wherein the one or more memories comprise programinstructions which are executable by the one or more processors toimplement: a request token issue unit issuing a first request token to acomputer system of an entity in response to receiving authenticationinformation from the computer system of the entity, wherein the computersystem of the entity, a first data resource, and a second data resourceare connected to the token distribution unit over respective securedchannels, wherein the computer system of the entity, the first dataresource, and the second data resource are distributed over separatelocal or remote locations and interconnected by unsecured channels,wherein the first request token is issued over the secured channelbetween the computer system of the entity and the token distributionunit, and wherein the first request token is transmitted only over thesecured channel between the computer system of the entity and the tokendistribution unit; a one-way authentication token issue unit issuing afirst one-way authentication token to the computer system of the entityin response to receiving the first request token from the computersystem of the entity; a validation unit validating the first one-wayauthentication token received from the first data resource; and aninvalidation unit invalidating the first one-way authentication tokenissued by the authentication token issue unit and received with avalidation request from the first data resource, wherein the firstone-way authentication token travels directly from the tokendistribution unit to the computer system of the entity, from thecomputer system of the entity to the first data resource and from thefirst data resource back to the token distribution unit only once and inthe indicated direction, before being invalidated by the tokendistribution unit; wherein the request token issue unit issues a secondrequest token to the first data resource over the secured channelbetween the first data resource and the token distribution unit when thevalidation unit has successfully validated the first one-wayauthentication token for the first data resource, wherein the secondrequest token is transmitted only over the secured channel between thefirst data resource and the token distribution unit, and wherein thesecond request token is used by the first data resource to obtain asecond one-way authentication token from the authentication token issueunit for a single access of the first data resource at the second dataresource.
 2. The token distribution unit of claim 1, wherein the firstone-way authentication token is valid only for a predefined limitedtime.
 3. The token distribution unit of claim 1, wherein the firstrequest token is reuseable by the computer system of the entity toobtain further one-way authentication tokens to authenticate the entityat the first data resource again and/or at other data resources.
 4. Thetoken distribution unit of claim 1, wherein the program instructions arefurther executable by the one or more processors to implement: the tokendistribution unit receiving the second request token from the first dataresource to request a second one-way authentication token; the tokendistribution unit sending the second one-way authentication token to thefirst data resource, wherein the first data source sends the secondone-way authentication token to a second data resource to authenticatethe entity also at the second data resource, and wherein the second dataresource sends the second one-way authentication token to the tokendistribution unit to validate the second one-way token; and theinvalidation unit invalidating the second one-way token.
 5. The tokendistribution unit of claim 1, wherein the program instructions arefurther executable by the one or more processors to implement: the tokendistributing unit receiving a command including the second requesttoken; and the token distributing unit sending information about theentity to the first data resource.
 6. One or more non-transitorycomputer-accessible memory mediums that store program instructionsexecutable by one or more processors to implement: a request token issueunit issuing a first request token to a computer system of an entity inresponse to receiving authentication information from the computersystem of the entity, wherein the computer system of the entity, a firstdata resource, and a second data resource are connected to the tokendistribution unit over respective secured channels, wherein the computersystem of the entity, the first data resource, and the second dataresource are distributed over separate local or remote locations andinterconnected by unsecured channels, wherein the first request token isissued over the secured channel between the computer system of theentity and the token distribution unit, and wherein the first requesttoken is transmitted only over the secured channel between the computersystem of the entity and the token distribution unit; a one-wayauthentication token issue unit issuing a first one-way authenticationtoken to the computer system of the entity in response to receiving thefirst request token from the computer system of the entity; a validationunit validating the first one-way authentication token received from thefirst data resource; and an invalidation unit invalidating the firstone-way authentication token issued by the authentication token issueunit and received with a validation request from the first dataresource, wherein the first one-way authentication token travelsdirectly from the token distribution unit to the computer system of theentity, from the computer system of the entity to the first dataresource, and from the first data resource back to the tokendistribution unit only once and in the indicated direction, before beinginvalidated by the token distribution unit; wherein the request tokenissue unit issues a second request token to the first data resource overthe secured channel between the first data resource and the tokendistribution unit when the validation unit has successfully validatedthe first one-way authentication token for the first data resource,wherein the second request token is transmitted only over the securedchannel between the first data resource and the token distribution unit,and wherein the second request token is used by the first data resourceto obtain a second one-way authentication token from the authenticationtoken issue unit for a single access of the first data resource at thesecond data resource.
 7. The one or more non-transitorycomputer-accessible memory mediums of claim 6, wherein the first one-wayauthentication token is valid only for a predefined limited time.
 8. Theone or more non-transitory computer-accessible memory mediums of claim6, wherein the first request token is re-useable by the computer systemof the entity to obtain further one-way authentication tokens toauthenticate the entity at the first data resource again and/or at otherdata resources.
 9. The one or more non-transitory computer-accessiblememory mediums of claim 6, wherein the program instructions are furtherexecutable by the one or more processors to implement: the tokendistribution unit receiving the second request token from the first dataresource to request a second one-way authentication token; the tokendistribution unit sending the second one-way authentication token to thefirst data resource; the first data source sending the second one-wayauthentication token to a second data resource to authenticate theentity also at the second data resource; the second data resourcesending the second one-way authentication token to the tokendistribution unit to validate the second one-way authentication token;and the invalidation unit invalidating the second one-way authenticationtoken.
 10. The one or more non-transitory computer-accessible memorymediums of claim 6, wherein the program instructions are furtherexecutable by the one or more processors to implement: the tokendistributing unit receiving a command including the second requesttoken; and the token distributing unit sending information about theentity to the first data resource.
 11. One or more non-transitorycomputer-accessible memory mediums that store program instructionsexecutable by one or more processors to implement: issuing a firstrequest token to a computer system of an entity in response to receivingauthentication information from the computer system of the entity,wherein the computer system of the entity, a first data resource, and asecond data resource are connected to the one or more processors overrespective secured channels, wherein the computer system of the entity,the first data resource, and the second data resource are distributedover separate local or remote locations and interconnected by unsecuredchannels, wherein the first request token is issued over the securedchannel between the computer system of the entity and the one or moreprocessors, and wherein the first request token is transmitted only overthe secured channel between the computer system of the entity and theone or more processors; issuing a first one-way authentication token tothe computer system of the entity in response to receiving the firstrequest token from the computer system of the entity; validating thefirst one-way authentication token received from the first dataresource; and invalidating the first one-way authentication tokenreceived with a validation request from the first data resource, whereinthe first one-way authentication token travels directly from the one ormore processors to the computer system of the entity, from the computersystem of the entity to the first data resource, and from the first dataresource back to the one or more processors only once and in theindicated direction, before being invalidated by the one or moreprocessors; issuing a second request token to the first data resourceover the secured channel between the first data resource and the one ormore processors when the validation unit has successfully validated thefirst one-way authentication token for the first data resource, whereinthe second request token is transmitted only over the secured channelbetween the first data resource and the one or more processors, andwherein the second request token is used by the first data resource toobtain a second one-way authentication token from the one or moreprocessors for a single access of the first data resource at the seconddata resource.
 12. A first data resource comprising one or moreprocessors and one or more memory mediums, wherein the one or morememory mediums comprise program instructions which are executable by theone or more processors to implement: an access control unit receiving afirst one-way authentication token from a computer system of an entityto gain access to data of the first data resource, wherein the computersystem of the entity, the first data resource, and a second dataresource are connected to a token distribution unit over respectivesecured channels, wherein the computer system of the entity, the firstdata resource, and the second data resource are distributed overseparate local or remote locations and interconnected by unsecuredchannels, and wherein the first one-way authentication token is receivedfrom the computer system of the entity over the unsecured channelbetween the computer system of the entity and the first data resource; avalidation request unit sending the received first one-wayauthentication token to the token distribution unit and obtaining arequest token in response to successful validation of the first one-wayauthentication token by the token distribution unit, wherein the requesttoken is transmitted only over the secured channel between the firstdata resource and the token distribution unit; and a one-wayauthentication token obtaining unit sending the request token to thetoken distribution unit over the secured channel between the first dataresource and the token distribution unit to obtain a second one-wayauthentication token for a single access of the first data resource atthe second data resource, wherein the second one-way authenticationtoken for a single access of the first data resource at the second dataresource travels directly from the token distribution unit to the firstdata resource, from the first data resource to the second data resource,and from the second data resource back to the token distribution unitonly once and in the indicated direction before being invalidated by thetoken distribution unit.
 13. The first data resource of claim 12,wherein the first one-way authentication token is valid only for apredefined limited time.
 14. The first data resource of claim 12,wherein a request token is reuseable by the computer system of theentity to obtain further one-way authentication tokens to authenticatethe entity at the first data resource again and/or at other dataresources.
 15. The first data resource of claim 12, wherein the programinstructions are further executable by the one or more processors toimplement: the first data resource receiving information about theentity from the token distributing unit in response to the tokendistributing unit receiving a command including the request token. 16.One or more non-transitory computer-accessible memory mediums that storeprogram instructions executable by one or more processors to implement:an access control unit receiving a first one-way authentication tokenfrom a computer system of an entity to gain access to data of a firstdata resource, wherein the computer system of the entity, the first dataresource, and a second data resource are connected to a tokendistribution unit over respective secured channels, wherein the computersystem of the entity, the first data resource, and the second dataresource are distributed over separate local or remote locations andinterconnected by unsecured channels, and wherein the first one-wayauthentication token is received from the computer system of the entityover the unsecured channel between the computer system of the entity andthe first data resource; a validation request unit sending the receivedfirst one-way authentication token to the token distribution unit andobtaining a request token in response to successful validation of thefirst one-way authentication token by the token distribution unit,wherein the request token is transmitted only over the secured channelbetween the first data resource and the token distribution unit; and aone-way authentication token obtaining unit sending the request token tothe token distribution unit over the secured channel between the firstdata resource and the token distribution unit to obtain a second one-wayauthentication token for a single access of the first data resource atthe second data resource, wherein the second one-way authenticationtoken for a single access of the first data resource at the second dataresource travels directly from the token distribution unit to the firstdata resource, from the first data resource to the second data resource,and from the second data resource back to the token distribution unitonly once and in the indicated direction before being invalidated by thetoken distribution unit.
 17. The one or more non-transitorycomputer-accessible memory mediums of claim 16, wherein the firstone-way authentication token is valid only for a predefined limitedtime.
 18. The one or more non-transitory computer-accessible memorymediums of claim 16, wherein a request token is re-useable by thecomputer system of the entity to obtain further one-way authenticationtokens to authenticate the entity at the first data resource againand/or at other data resources.
 19. The one or more non-transitorycomputer-accessible memory mediums of claim 16, wherein the programinstructions are further executable by the one or more processors toimplement: the first data resource receiving information about theentity from the token distributing unit in response to the tokendistributing unit receiving a command including the request token. 20.One or more non-transitory computer-accessible memory mediums that storeprogram instructions executable by one or more processors of a firstdata resource to implement: receiving a first one-way authenticationtoken from a computer system of an entity to gain access to data of thefirst data resource, wherein the computer system of the entity, thefirst data resource, and a second data resource are connected to a tokendistribution unit over respective secured channels, wherein the computersystem of the entity, the first data resource, and the second dataresource are distributed over separate local or remote locations andinterconnected by unsecured channels, and wherein the first one-wayauthentication token is received over the unsecured channel between thecomputer system of the entity and the first data resource; sending thereceived first one-way authentication token to the token distributionunit and obtaining a request token in response to successful validationof the first one-way authentication token by the token distributionunit, wherein the request token is transmitted only over the securedchannel between the first data resource and the token distribution unit;and sending the request token to the token distribution unit over thesecured channel between the first data resource and the tokendistribution unit to obtain a second one-way authentication token for asingle access of the first data resource at the second data resource,wherein the second one-way authentication token for a single access ofthe first data resource at the second data resource travels directlyfrom the token distribution unit to the first data resource, from thefirst data resource to the second data resource, and from the seconddata resource back to the token distribution unit only once and in theindicated direction before being invalidated by the token distributionunit.